Odd identd behavior

From: Mike Owen (kyphros_at_gmail.com)
Date: 11/11/05

  • Next message: Christopher E. Cramer: "Re: Odd identd behavior"
    Date: Thu, 10 Nov 2005 17:39:50 -0800
    To: incidents@securityfocus.com
    
    

    While going through logs, and looking at mail server ident daemon
    replies that don't fit the RFC-1413 standard, I noticed the following
    string from a few servers:

    "220 ..:: €lit€-Cr€w Rulez ::..."

    Looks to me like this group has been compromising mail servers, and
    then instead of taking them down, lets them continue running, although
    with a slight modification. They probably siphon off a copy of all
    email transiting their servers as well, although without access to any
    of these servers, I can't tell.

    Interesting to note, if you send 2 ident requests, the second one comes back as:

    "220 ..:: €lit€-Cr€w Rulez ::....530 Not logged in..."

    This leads me to believe this is the backdoor into these mail servers,
    after all, if you're trying to hide a backdoor from port scans, or
    dealing with stringent firewall rules, subverting an existing
    listening process is a smart way to do it.

    I have not notified the 0wned sites, mostly because I'm not really
    sure what to do there. I can't email them, which means I have to
    attempt to find a contact, and then call them. Then of course, the
    person I manage to get a hold of needs to understand what I'm trying
    to say, and I have to hope they don't then try and email someone
    telling them that they have been compromised, thereby letting the
    attackers know.

    I'm curious as to whether anyone else has seen ident replies like this.

    Thanks,
    Mike
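The check the post describes, as an added example that is not part of the original message: a small Python classifier for RFC 1413 reply lines that accepts the two legal forms (USERID and ERROR), requires the port pair to echo the query, and flags anything else, including the SMTP/FTP-style "220 ..." banner quoted above. The hostnames, ports and log lines in `SAMPLE_LOG` are constructed.

```python
import re

# RFC 1413 reply grammar:
#   <server-port> , <client-port> : USERID : <opsys> : <user-id>
#   <server-port> , <client-port> : ERROR : <error-type>
# Whitespace around tokens is permitted; the reply must echo the queried port pair.
_USERID_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*USERID\s*:\s*([^:]+?)\s*:\s*(.+?)\s*$")
_ERROR_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*ERROR\s*:\s*([A-Za-z0-9-]+)\s*$")
_ERROR_TYPES = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}  # or X-prefixed

def classify_ident_reply(reply: str, server_port: int, client_port: int) -> dict:
    """Classify one line read from TCP/113 after querying (server_port, client_port)."""
    line = reply.rstrip("\r\n")
    m = _USERID_RE.match(line)
    if m:
        if (int(m.group(1)), int(m.group(2))) != (server_port, client_port):
            return {"verdict": "suspect", "reason": "port pair does not echo the query"}
        return {"verdict": "ok", "type": "USERID", "opsys": m.group(3), "user": m.group(4)}
    m = _ERROR_RE.match(line)
    if m:
        if (int(m.group(1)), int(m.group(2))) != (server_port, client_port):
            return {"verdict": "suspect", "reason": "port pair does not echo the query"}
        err = m.group(3).upper()
        if err in _ERROR_TYPES or err.startswith("X"):
            return {"verdict": "ok", "type": "ERROR", "error": err}
        return {"verdict": "suspect", "reason": f"unknown error type {err}"}
    # A leading three-digit status code is SMTP/FTP-style protocol, not ident:
    # something other than an identd is answering on port 113.
    if re.match(r"^\d{3}[ -]", line):
        return {"verdict": "suspect", "reason": "SMTP/FTP-style status banner instead of ident reply"}
    return {"verdict": "suspect", "reason": "does not match RFC 1413 grammar"}

# Constructed sample: (host, server_port, client_port, raw reply). Hosts are placeholders.
SAMPLE_LOG = [
    ("mx1.example.net", 25, 40001, "25 , 40001 : USERID : UNIX : postfix"),
    ("mx2.example.net", 25, 40002, "25 , 40002 : ERROR : HIDDEN-USER"),
    ("mx3.example.net", 25, 40003, "220 ..:: €lit€-Cr€w Rulez ::..."),
    ("mx4.example.net", 25, 40004, "220 ..:: €lit€-Cr€w Rulez ::....530 Not logged in..."),
    ("mx5.example.net", 25, 40005, "25 , 40006 : USERID : UNIX : root"),
]

def suspect_hosts(log=SAMPLE_LOG) -> list:
    """Return (host, reason) for every reply that is not a conformant RFC 1413 answer."""
    out = []
    for host, sp, cp, reply in log:
        result = classify_ident_reply(reply, sp, cp)
        if result["verdict"] != "ok":
            out.append((host, result["reason"]))
    return out

if __name__ == "__main__":
    for host, reason in suspect_hosts():
        print(f"{host}: {reason}")
```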

